IBM / tnz

Tn3270 to Z Python library
https://ibm.github.io/tnz/
Apache License 2.0

How connect to HOD SERPRO (hod.serpro.gov.br)? Or collect CONFIGs needed from HOD Java folders? #93

Open folk-digital opened 6 months ago

folk-digital commented 6 months ago

Hi,

Is it possible, using the TNZ library, to connect to the host SERPRO (hod.serpro.gov.br), which recommends Host On Demand (HOD) for clients to access mainframe applications on its network (with web browser session time expiry)?

I tried to connect with the simple ZTI script below, but I haven't had success in viewing any loaded information on the screen:

```python
from tnz.py3270 import Emulator

# Visible emulator with tracing written to ati.log
em = Emulator(visible=True, args=["-trace", "-tracefile", "ati.log"])
em.connect('hod.serpro.gov.br', port=23)
em.wait_for_field()   # wait for the first unprotected field (screen loaded)
print(em)
em.terminate()
```

LOG file follows (attachment).

When I use HOD without logging on to the SERPRO network (web session), it must show at least the "initial screen" (attachment) with a notice about browser session expiration (session no longer valid)... but with ZTI not even that!

[image: screenshot attachment]

What configuration is necessary? Is the problem the missing browser session?

On workstations with HOD installed and configured, is it possible to collect the needed configuration from the HOD default files (jnlp/hodcivws) and folders?

Thanks for any support/help/contribution!

(attachment: ati.log)

najohnsn commented 6 months ago

I can see from the screenshot that the port used in HOD is different from what is in your code. Trying myself using that port in the screenshot, I got this:

ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)

Sometimes SET ZTI_SECLEVEL=1 helps. Didn't help me in this case.

I attempted a little more debugging using openssl s_client -connect and curl -v. I came across the following message:

* TLSv1.0 (IN), TLS header, Unknown (21):

I'm not a TLS expert, but I believe this may be an indication that the server is using a protocol that has been deprecated: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1. If this is the case, you will not be able to connect with tnz/zti until the server is updated to use a more modern/secure protocol.

folk-digital commented 6 months ago

Thank you for answer, @najohnsn !

> I can see from the screenshot that the port used in HOD is different from what is in your code. Trying myself using that port in the screenshot, I got this:
>
> ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)

I use port 443 because I analyzed my connection with Wireshark using HOD to access the same host, and it traced back to port 443 during the whole communication.

I suppose that the host uses the settings quoted in this IBM Docs documentation:

[image: sesnsecurity]

> Sometimes SET ZTI_SECLEVEL=1 helps. Didn't help me in this case.
>
> I attempted a little more debugging using openssl s_client -connect and curl -v. I came across the following message:
>
> * TLSv1.0 (IN), TLS header, Unknown (21):
>
> I'm not a TLS expert, but I believe this may be an indication that the server is using a protocol that has been deprecated: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1. If this is the case, you will not be able to connect with tnz/zti until the server is updated to use a more modern/secure protocol.

I'm also not a TLS expert, but following your logic about the source of the trouble, I resolved to isolate the error from the rest of the library and started tests using only the Python SSL library and the OpenSSL toolkit, with the support of Google, Stack Overflow and the OpenSSL Cookbook, especially Chapter 2, Testing TLS with OpenSSL.

As I said in my first message, I am trying to discover how HOD connects to the IBM server on this specific host, in order to reproduce this behavior in Python emulators like TNZ/ZTI.

Because of that, I discarded port 23 in my SSL/TLS tests. According to [IBM Docs](), the host is probably using the HOD environment with WebSphere to reroute the client in the context of the browser (Portal Server).

[image: attachment]

[image: redcnfg1]

I began with a very simple Python script to access/analyze ("logging") requests (HTTPS) to host:443 using the Requests library and Python socket/SSL for TLS, but I always got the following response: SSLError [SSL: CERTIFICATE_VERIFY_FAILED]. Of course, I hadn't sent a certificate for verification in my requests/calls.

Based on the behavior of the host when using HOD to access the terminal, I suspected that HOD is configured to use these two approaches to the SSL/TLS connection: Web Start client, Transport Layer Security (TLS) AND Appendix C. P12 Keyring utility.

Then I went looking for the CustomizedCAs.p12 file on my computer in the HOD folders, and I ended up finding it. With the support of some IBM Redpapers found by googling, I discovered how to convert p12 files to PEM files for use in my tests.

I adapted my previous scripts to send the CustomizedCAs.PEM file in the requests/calls, and finally :tada: SUCCESS :tada: (the previous error apparently disappeared!).

I obtained this log with the Requests library:

(attachment: test_reqSSL_HostSERPRO_Port443_hodCAs_2024y02m18d13h17m.log)

And with Python socket/SSL, using this Pythonic script, I obtained this: TLSv1.2.

Now, how can I pass the CustomizedCAs.PEM file to TNZ/ZTI to open a TLS connection with the IBM Telnet server and load the terminal emulator with the same screen shown by HOD (top)?

najohnsn commented 5 months ago

I appreciate the thorough investigation.

My reaction to CERTIFICATE_VERIFY_FAILED is that it is your machine that failed verification of the server certificate. But, by default, tnz does not verify the server certificate. So, I expect that you either won't see this with tnz/zti, or CERTIFICATE_VERIFY_FAILED is for the server failing to verify the client certificate.

It's not "normal", but servers can authenticate clients with a client certificate. If this requirement is causing CERTIFICATE_VERIFY_FAILED for you, then tnz needs at least one enhancement: the ability to specify a client certificate. If you would be willing to try out such an enhancement, I can create a PR with such support.
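The two comments above (the reporter's socket/SSL tests with the exported CustomizedCAs.PEM bundle, and the distinction between the client rejecting the server certificate and the server rejecting a missing client certificate) can be checked with a small stand-alone diagnostic. This is added example code, not part of tnz or the reporter's scripts; the host, port, CA bundle path and client certificate paths are assumed to be supplied by the caller.

```python
"""Probe a TLS-protected TN3270 port: which TLS versions the server accepts,
whether our trust store accepts its certificate, and which side refused."""
import socket
import ssl

# Order matters: index 0 is the oldest (deprecated) version.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def build_context(cafile=None, client_cert=None, client_key=None,
                  version=None, verify=True):
    """Client context that, unlike tnz's default, verifies the server cert.
    cafile: PEM bundle, e.g. CustomizedCAs.p12 exported to PEM (assumed path).
    client_cert/client_key: only needed if the server authenticates clients."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    if version is not None:              # pin a single protocol version
        ctx.minimum_version = version
        ctx.maximum_version = version
    if not verify:                       # mimic tnz's non-verifying default
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(err):
    """Map an ssl.SSLError (or its message) to the side that refused."""
    msg = str(err)
    if "CERTIFICATE_VERIFY_FAILED" in msg:
        return "client-rejected-server-cert"   # our trust store lacks the CA
    if "HANDSHAKE_FAILURE" in msg:
        return "server-aborted-handshake"      # no common version/cipher, or client cert wanted
    if "UNSUPPORTED_PROTOCOL" in msg or "WRONG_VERSION_NUMBER" in msg:
        return "protocol-mismatch"
    return "other"


def probe(host, port, ctx, timeout=10):
    """One handshake attempt; returns negotiated version/cipher or the failure class."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as e:
        return {"ok": False, "reason": classify(e), "detail": str(e)}


def probe_versions(host, port, cafile=None):
    """Try each TLS version in turn, like the OpenSSL cookbook's per-version tests."""
    return {v.name: probe(host, port, build_context(cafile=cafile, version=v))
            for v in VERSIONS}
```

Run `probe_versions("hod.serpro.gov.br", 443, cafile="CustomizedCAs.pem")` to see which versions succeed and, for failures, whether the refusal came from the local trust store or from the server.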

folk-digital commented 5 months ago

Neil, sorry for the delay!

I really appreciate your interest in helping me with my specific use case!

I would be willing to try out such an enhancement and contribute in any case, but I'll only have time available after May 5, because I'm committed to another project now.

After that date I will be able to resume my attempts to make TNZ work as an alternative to HOD in my use case and propose a PR for you to analyze! If you also have availability, of course!

See you later and thank you for taking the time to help me!